How AI in eDiscovery Raises Court Warnings and Privilege Risks
Generative AI is now embedded in eDiscovery to search, analyze, and review documents and prepare for litigation, driven by the need to cut through fragmented tools and manual handoffs to reach the small fraction of data that matters.
Anthropic’s recent launch of Claude for Legal shows how fast AI is being integrated into legal workflows. At the same time, courts are signaling that existing rules fully apply to AI, and firms must treat prompts, outputs, and the full interaction chain as discoverable records or risk sanctions, privilege waivers, and adverse rulings. In short, AI use in discovery is no longer experimental and must be governed with the same rigor as any other data source or review tool.
Key takeaways
- AI-generated data is now considered discoverable electronically stored information (ESI) under existing discovery rules.
- Courts are treating AI prompts, outputs, and conversation histories as potential evidence in litigation.
- Using consumer AI tools can create attorney-client privilege and confidentiality risks.
- AI-generated errors, including fabricated citations, are increasingly resulting in sanctions and monetary penalties.
- Organizations should incorporate AI data into litigation holds, discovery planning, and records management programs.
- Governance, employee training, and defensible AI policies are becoming essential components of legal risk management.
AI data is now established discoverable evidence
AI tools are embedded across legal and business functions. Drafting, summarization, and analysis are increasingly happening inside platforms like ChatGPT, Claude or Copilot. Organizations are simultaneously grappling with new governance challenges around AI-generated communications and records. Smarsh has explored these issues in depth, including why AI governance starts with complete capture, how to build an effective AI governance in financial services framework, and why AI governance expectations are rising — even without new rules. The same can be said for business communications with prospects, responses to customer questions via chatbots, and the use of AI to produce case citations in court. We've now arrived at the point where courts have made it clear that this activity produces discoverable electronically stored information (ESI).
A recent example comes from In re OpenAI, Inc. Copyright Infringement Litigation (S.D.N.Y.), where the court compelled production of millions of anonymized ChatGPT conversation logs under Rule 26(b)(1) Duties to Disclose.
What that decision establishes is that:
- AI-generated data is discoverable at scale
- Existing discovery rules apply without exception
- Novel data sources do not receive special treatment
What makes AI data harder to manage is not volume — it is the uniqueness of its structure and time-bound and context-dependent relationship between prompts and outputs. This creates a unique artifact where:
- Context matters as much as content
- Prompts and responses must be reviewed together
- Conversations evolve across multiple iterations
When preserved and produced as originally authored, a more complete record of intent, reasoning, and decision-making is created compared to traditional email threads. If not preserved as originally created, it must be reconstructed, introducing fragmentation, as AI interactions are spread across tools, accounts, and environments with inconsistent retention controls.
Where firms are getting exposed
Court decisions over the past year point to three areas where discovery risk is surfacing fastest.
Privilege is easier to lose than expected
In United States v. Heppner (S.D.N.Y., Feb. 17, 2026), the court held that a defendant’s use of Anthropic’s Claude did not qualify for attorney-client privilege or work product protection.
The reasoning was direct:
- The platform’s terms allowed data access and third-party disclosure
- That eliminated any reasonable expectation of confidentiality
- Submitting information to the AI tool was treated as disclosure to a third party
The significance is clear: Using consumer AI tools for legal-related content can break privilege entirely.
Other cases — Warner v. Gilbarco (E.D. Mich.) and Morgan v. V2X (D. Colo.) — offered more protection in limited contexts, particularly for self-represented litigants. But they do not change the broader direction for represented parties and corporate use.
AI records are being used as evidence
A March 2026 ruling from the Delaware Court of Chancery in a $250 million earnout breach of contract dispute shows how AI logs are being used in practice.
In that case:
- A CEO’s ChatGPT conversations were quoted in the opinion
- The logs were used to demonstrate intent and bad faith
- Deleted messages raised additional spoliation concerns
The significance:
AI tools are not just producing background data—they are capturing decision-making in a way courts are willing to rely on directly.
Courts are penalizing AI-generated errors
Judges are also taking a harder line and losing patience with AI-generated hallucinations.
Examples include:
- Whiting v. City of Athens (6th Cir.), where a $30,000 sanction was issued for lawyer’s use of over two dozen fabricated citations.
- State v. Gorso (MA), where attorneys received the states highest monetary fine for this category of misconduct ($10,000) for submitting a brief with 15 fabricated citations generated by an AI search tool
The significance:
- Verification is now a measurable risk calculation
- AI errors are treated as professional responsibility failures
- Financial exposure can be quantified before filing
This shifts AI use from convenience to accountability. In this and similar cases, courts are clear to attorneys – if you sign it, you own it.
Choosing the wrong AI tool creates discovery risk
Tool selection is no longer just a technology decision. It directly affects privilege, discovery scope, and defensibility. Firms need to be aware of 3rd, 4th, and 5th party risks of AI model providers as well as the underlying components embedded into their platforms. The presence of audited controls, support for industry data protection standards, and client-exposed controls over use of data are all fundamental due diligence elements. Change management policies to alert customers to changes in models and key features should also be transparent and readily accessible.
At a minimum, firms should evaluate AI platforms against four practical criteria:
- Confidentiality protections
Does the provider restrict data use and third-party access? - Deletion control
Can data be fully removed on demand? - Documented data protection safeguards
Can you prove how data is handled if challenged? - Integration with compliance systems
Can AI activity be delivered and integrated with communications compliance solutions?
The Morgan v. V2X decision is especially noteworthy. Courts are beginning to expect documented contractual safeguards — specifically around training restrictions, deletion rights, and transparency.
Consumer-oriented tools often fail these tests. Enterprise tools may meet them — but only when used within controlled workflows.
How firms are reducing AI-related eDiscovery risk
More firms are getting ahead of these challenges are not waiting for more case decisions. They are tightening governance now.
Expand litigation holds to include AI data
AI prompts, outputs, logs, and metadata should be explicitly included in preservation requirements. This alone may cause firms to reconsider AI retention policy decisions, along with the due diligence and inspection of data protection practices of AI model providers.
This also aligns with how courts are defining discoverable AI records in cases like In re OpenAI.
Address AI early in discovery planning
AI usage should be raised at the Rule 26(f) Meet and Confer conference:
- Identify which tools were used
- Determine where data resides
- Clarify personal vs. enterprise usage
Early alignment reduces downstream disputes.
Keep AI use under clear policy controls
Privilege is strongest when AI use is governed by explicit policy controls.
The contrast between Heppner and Morgan makes this clear:
- Unsupervised use weakens protection
- Structured, documented use strengthens it
Make citation verification standard practice
Cases like Whiting show that courts expect validation.
A practical approach:
- Count all citations and quotations
- Apply known penalty frameworks
- Compare exposure to verification cost
Skipping this step creates defensibility challenges from the outset.
Train employees across the business
Many of the risks identified in these cases stem from employee behavior, not discovery strategy. Shadow AI risks are amplified by the easy accessibility of AI tools, which can arise from any corner of the organization, and can easily morph into litigation exposure.
At a minimum, on-going employee training should cover:
- Approved vs. unapproved tools and use cases
- What data cannot be entered into AI systems
- Examples of recent cases (and consequences) of where AI was improperly used
The bottom line
Courts are not rewriting the rules for AI. They are enforcing the ones that already exist.
Cases like In re OpenAI, Heppner, Morgan, and Whiting all point in the same direction:
- AI data is discoverable
- Privilege depends on how tools are used
- Errors carry financial consequences
- Governance determines outcomes
Firms that treat AI oversight as a core discipline are already adjusting. Others are learning through litigation — which is a far more expensive way to get there.
(Disclaimer: Smarsh does not provide legal advice opinions. You must consult with your attorneys regarding compliance with applicable laws and regulations)
Frequently asked questions
Courts have consistently held that generative AI tools are not attorneys and cannot create attorney-client privilege on their own — but the question of whether AI outputs receive any protection turns heavily on who used the tool and how.
Confidentiality and privilege is the most common issue, followed by fabricated citations
Courts have not yet required disclosure of training data as such.
Cited sources
BakerHostetler. In re OpenAI, Inc. Copyright Infringement Litigation (S.D.N.Y.). https://www.bakerlaw.com/in-re-openai-inc-copyright-infringement-litigation/
Everlaw. Morgan v. V2X: AI Disclosure in Discovery. https://www.everlaw.com/blog/ai-and-law/morgan-v-v2x-ai-disclosure-in-discovery/
Harvard Law Review. United States v. Heppner. https://harvardlawreview.org/blog/2026/03/united-states-v-heppner/
Justia. Warner v. Gilbarco Inc. https://law.justia.com/cases/federal/district-courts/michigan/miedce/2:2024cv12333/379552/94/
Justia. Whiting v. City of Athens. U.S. Court of Appeals for the Sixth Circuit. https://law.justia.com/cases/federal/appellate-courts/ca6/25-5424/25-5424-2026-03-13.html
Massachusetts Bar Association. Massachusetts Lawyer Sanctioned for AI-Generated Fictitious Cases. https://www.msba.org/site/site/content/News-and-Publications/News/General-News/Massachusetts_Lawyer-Sanctioned_for_AI_Generated-Fictitious_Cases.aspx
Reuters. Anthropic Expands Claude's AI Tools for Law Firms, Lawyers. https://www.reuters.com/legal/litigation/anthropic-expands-claudes-ai-tools-law-firms-lawyers-2026-05-12/
The Guardian. Subnautica 2 Publisher Krafton Reinstates CEO After ChatGPT-Backed Bonus Dispute. https://www.theguardian.com/technology/2026/mar/18/subnautica-2-publisher-krafton-ceo-reinstated-ai-chatgpt-failed-bid-avoid-paying-bonus
Share this post!
- How AI in eDiscovery Raises Court Warnings and Privilege Risks - June 8, 2026
- Managing Generative and Agentic AI Compliance Risk in Financial Services - April 3, 2026
- AI Governance in Financial Services Framework - April 3, 2026
Smarsh Blog
Our internal subject matter experts and our network of external industry experts are featured with insights into the technology and industry trends that affect your electronic communications compliance initiatives. Sign up to benefit from their deep understanding, tips and best practices regarding how your company can manage compliance risk while unlocking the business value of your communications data.
Ready to enable compliant productivity?
Join the 6,500+ customers using Smarsh to drive their business forward.
Subscribe to the Smarsh Blog Digest
Subscribe to receive a monthly digest of articles exploring regulatory updates, news, trends and best practices in electronic communications capture and archiving.
Smarsh handles information you submit to Smarsh in accordance with its Privacy Policy. By clicking "submit", you consent to Smarsh processing your information and storing it in accordance with the Privacy Policy and agree to receive communications from Smarsh and its third-party partners regarding products and services that may be of interest to you. You may withdraw your consent at any time by emailing [email protected].
FOLLOW US